Resource exhaustion in github.com/revel/revel
Description
Unsanitized input in Revel's query parser before v1.0.0 allows remote attackers to exhaust server memory via a crafted slice parameter, causing a denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Summary
CVE-2020-36568 is a denial of service (DoS) vulnerability in the Revel web framework for Go, affecting versions prior to 1.0.0. The root cause is unsanitized user input in the query parameter parser's bindSlice function, which processes slice parameters (e.g., name[] or name[3]). When the framework binds a slice parameter, it extracts the index from the parameter name, sizes the slice to the largest index seen, and allocates it without any bounds checking [2].
Attack
Vector
An attacker can exploit this vulnerability by sending a single HTTP request with a crafted query parameter such as name[1234567890]=1. Because the slice is sized to the largest index in the request, the parser attempts to allocate more than a billion elements to hold that one value, leading to excessive memory allocation and CPU consumption [2]. No authentication is required, and the attack can be performed remotely over the network. The vulnerability is triggered whenever the application uses Revel's slice parameter binding, either through controller method parameters (e.g., func (c App) DoS1(name []string)) or via c.Params.Bind() [2].
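To make the mechanics described above concrete, the following is an added Go example, not Revel's own code: a minimal index-driven slice binder in the spirit of bindSlice. The names parseIndex, requiredLen and bindSlice are hypothetical; the 4096 default mirrors the params.max_index default the fix introduces. With the bound disabled the binder sizes the slice to the largest index in the request, which is the pre-1.0.0 behaviour; requiredLen computes that size for the crafted parameter without actually performing the allocation, and the bounded variant drops the out-of-range element the way the patched code does while still binding the rest of the request.

```go
package main

import (
	"fmt"
	"net/url"
	"strconv"
	"strings"
	"unsafe"
)

// DefaultMaxIndex mirrors the default the fix introduces for params.max_index.
const DefaultMaxIndex = 4096

// parseIndex reports whether key addresses the slice parameter `name` and, if
// so, which element: "name[]" yields -1 (unindexed, appended in order) and
// "name[7]" yields 7. Keys for other parameters, non-numeric indices and
// negative indices return ok=false. Hypothetical helper, not Revel's API.
func parseIndex(name, key string) (index int, ok bool) {
	if !strings.HasPrefix(key, name+"[") || !strings.HasSuffix(key, "]") {
		return 0, false
	}
	inner := key[len(name)+1 : len(key)-1]
	if inner == "" {
		return -1, true
	}
	n, err := strconv.Atoi(inner)
	if err != nil || n < 0 {
		return 0, false
	}
	return n, true
}

// requiredLen returns how many elements an index-driven binder must allocate
// for the name[...] keys in q: the largest index plus one, plus the unindexed
// values. It does not allocate, so it is safe to call on a crafted request.
func requiredLen(name string, q url.Values) int {
	highest, noIndex := -1, 0
	for key, vals := range q {
		idx, ok := parseIndex(name, key)
		switch {
		case !ok:
		case idx < 0:
			noIndex += len(vals)
		case idx > highest:
			highest = idx
		}
	}
	return highest + 1 + noIndex
}

// bindSlice binds q's name[...] values to a []string. maxIndex < 0 disables
// the bound and reproduces the pre-1.0.0 behaviour (allocate whatever the
// request asks for); maxIndex >= 0 reproduces the fix: indexed elements above
// the bound are dropped and the remaining elements still bind.
func bindSlice(name string, q url.Values, maxIndex int) []string {
	type elem struct {
		idx int
		val string
	}
	var elems []elem
	highest, noIndex := -1, 0
	for key, vals := range q {
		idx, ok := parseIndex(name, key)
		if !ok || len(vals) == 0 {
			continue
		}
		if idx < 0 {
			noIndex += len(vals)
			for _, v := range vals {
				elems = append(elems, elem{-1, v})
			}
			continue
		}
		if maxIndex >= 0 && idx > maxIndex {
			continue // dropped, as the patched bindSlice does
		}
		if idx > highest {
			highest = idx
		}
		elems = append(elems, elem{idx, vals[0]})
	}
	// This make() is the allocation the vulnerability drives: without a bound
	// its length is chosen by the client.
	out := make([]string, highest+1+noIndex)
	next := highest + 1
	for _, e := range elems {
		if e.idx < 0 {
			out[next] = e.val
			next++
		} else {
			out[e.idx] = e.val
		}
	}
	return out
}

func main() {
	// Constructed sample input: the crafted parameter from the advisory.
	crafted, _ := url.ParseQuery("name[1234567890]=1")
	n := requiredLen("name", crafted)
	bytes := n * int(unsafe.Sizeof(""))
	fmt.Printf("unbounded binder would allocate %d string headers (%d MiB)\n", n, bytes>>20)
	fmt.Printf("bounded binder returns %d elements\n", len(bindSlice("name", crafted, DefaultMaxIndex)))

	// Constructed benign input mixing indexed and unindexed elements.
	benign, _ := url.ParseQuery("name[0]=a&name[2]=c&name[]=z")
	fmt.Printf("%q\n", bindSlice("name", benign, DefaultMaxIndex))
}
```

Run it with `go run` to see the size the crafted request would force; the bounded call returns an empty slice because the only element is above the limit, while a request with indices up to the bound still binds normally.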
Impact
Successful exploitation causes the server's memory and CPU usage to spike, potentially triggering the operating system's out-of-memory (OOM) killer and crashing the application. This results in a denial of service, making the web application unavailable to legitimate users [1][2].
Mitigation
The vulnerability was patched in Revel v1.0.0. The fix was implemented in commit d160ecb72207824005b19778594cbdc272e8a605 and merged via pull request #1427 [1][3]. The patched bindSlice reads a configurable ceiling, params.max_index (default 4096), and ignores and logs any indexed element whose index exceeds it, so the slice length is no longer controlled by the client. Users are strongly advised to upgrade to Revel v1.0.0 or later. As of this writing, no workarounds have been published for earlier versions, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/revel/revel (Go) | < 1.0.0 | 1.0.0 |
Patches
23 files changed · +6 −9
none+1 −0 added@@ -0,0 +1 @@ +INFO 2020/07/11 22:52:29 revel revel.go:124: Paths app=/tmp/release/v1.0.0/go/src/github.com/revel/revel/testdata/app views=/tmp/release/v1.0.0/go/src/github.com/revel/revel/testdata/app/views revel=/tmp/release/v1.0.0/go/src/github.com/revel/revel base=/tmp/release/v1.0.0/go/src/github.com/revel/revel/testdata
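Review bot: the added file (shown here as `none`) contains a single runtime log line from a local build, `+INFO 2020/07/11 22:52:29 revel revel.go:124: Paths app=/tmp/release/v1.0.0/go/src/github.com/revel/revel/testdata/app ...`, not source; it reads as an accidentally committed artifact and should be dropped from the release commit, with the path added to .gitignore so it does not land in the repository again.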
README.md+2 −6 modified@@ -6,16 +6,12 @@ A high productivity, full-stack web framework for the [Go language](http://www.golang.org). -Current Version: 1.0.0-dev (2018-10-30) +Current Version: 1.0.0 (2020-07-11) -**Because of Default HTTP Server's graceful shutdown, Go 1.8+ is required.** +**Supports go.mod package management** ## Quick Start -Enter Go's path (format varies based on OS): - - cd $GOPATH - Install Revel: go get -u github.com/revel/cmd/revel
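Review bot: removing `-**Because of Default HTTP Server's graceful shutdown, Go 1.8+ is required.**` leaves the README with no statement of the minimum Go version, while version.go in the same commit raises MinimumGoVersion to `>= go1.12`; keep a one-line requirement in the Quick Start (e.g. "Go 1.12 or later is required") so the README and version.go agree, and the replacement line `+**Supports go.mod package management**` is a good place to add it.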
version.go+3 −3 modified@@ -6,11 +6,11 @@ package revel const ( // Version current Revel version - Version = "1.0.0-dev" + Version = "1.0.0" // BuildDate latest commit/release date - BuildDate = "2018-10-30" + BuildDate = "2020-07-11" // MinimumGoVersion minimum required Go version for Revel - MinimumGoVersion = ">= go1.8" + MinimumGoVersion = ">= go1.12" )
2 files changed · +17 −0
binder.go+7 −0 modified@@ -213,6 +213,8 @@ func bindSlice(params *Params, name string, typ reflect.Type) reflect.Value { numNoIndex := 0 sliceValues := []sliceValue{} + maxIndexBound := Config.IntDefault("params.max_index", 4096) + // Factor out the common slice logic (between form values and files). processElement := func(key string, vals []string, files []*multipart.FileHeader) { if !strings.HasPrefix(key, name+"[") { @@ -229,6 +231,11 @@ func bindSlice(params *Params, name string, typ reflect.Type) reflect.Value { // Handle the indexed case. if index > -1 { + // Just ignore illegal index, fix issue #1424 + if index > maxIndexBound { + binderLog.Error("Ignoring parameter for security reason", "index", index, "key", key) + return + } if index > maxIndex { maxIndex = index }
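Review bot: in the first hunk, `+ maxIndexBound := Config.IntDefault("params.max_index", 4096)` dereferences the package-level Config unconditionally, and the accompanying binder_test.go change has to construct `config.NewContext()` when Config is nil to avoid a panic, which shows that code path exists; guard with a nil check and fall back to the 4096 default so bindSlice does not become the first place that crashes when Config has not been loaded. The new params.max_index key is also not documented anywhere in this change.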
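Review bot: in the second hunk, the out-of-range branch logs at Error level with the attacker-supplied index and key on every offending request, `+ binderLog.Error("Ignoring parameter for security reason", "index", index, "key", key)`, so a single remote client can now fill the error log at request rate; log at Warn or Debug or rate-limit it, and consider rejecting the request rather than silently returning a shorter slice, since the caller gets no indication that input was discarded. The comparison `+ if index > maxIndexBound {` is inclusive at the bound (index 4096 still allocates 4097 elements), which should be stated wherever the key is documented.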
binder_test.go+10 −0 modified@@ -7,6 +7,7 @@ package revel import ( "encoding/json" "fmt" + "github.com/revel/config" "io" "io/ioutil" "os" @@ -98,6 +99,8 @@ var ( "invalidArr": {"xyz"}, "int8-overflow": {"1024"}, "uint8-overflow": {"1024"}, + "arrDoS[2]": {"2"}, + "arrDoS[65535]": {"65535"}, } testDate = time.Date(1982, time.July, 9, 0, 0, 0, 0, time.UTC) @@ -168,6 +171,7 @@ var binderTestCases = map[string]interface{}{ "priv": A{}, "int8-overflow": int8(0), "uint8-overflow": uint8(0), + "arrDoS": []int{0, 0, 2}, } // Types that files may be bound to, and a func that can read the content from @@ -213,6 +217,12 @@ func TestBinder(t *testing.T) { // Reuse the mvc_test.go multipart request to test the binder. params := &Params{} c := NewTestController(nil, getMultipartRequest()) + if Config == nil { + Config = config.NewContext() + defer func() { + Config = nil + }() + } ParseParams(params, NewRequest(c.Request.In)) params.Values = ParamTestValues
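Review bot: the new cases `+ "arrDoS[2]": {"2"},` and `+ "arrDoS[65535]": {"65535"},` exercise only one dropped index and rely on the 4096 default; add a case at the boundary (4096 kept, 4097 dropped) and one that sets params.max_index on the test Config to show the override takes effect, otherwise a regression that hard-codes the bound would still pass. Minor: `+ "github.com/revel/config"` is inserted between "fmt" and "io" in the standard-library import group; goimports convention keeps third-party imports in their own group.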
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References